Fortigate Dialup S2S VPN basic setup (pre-ADVPN)

Lab: FortiGate 7.2.0

Spoke-to-spoke traffic is not considered in this lab.

Hub configuration

1. VPN

Add Route is enabled by default; it injects the spoke subnets into the hub routing table, which requires that each spoke has its traffic selectors (Phase 2 selectors) configured properly.

When net-device is disabled, all dialup tunnels share an interface on the hub. The tunnel selection process is based on the tunnel search method. Using a shared interface eliminates the time needed for dynamic interface creation and tear-down. When net-device is enabled, dynamic interfaces are created on the hub for each dialup tunnel. This means that potentially many dynamic interfaces could be created at start-up in a large scale deployment.

When net-device is enabled:

  • A unique virtual tunnel interface is created for the connection.
  • You can apply:
    • SD‑WAN rules
    • Interface‑based policies
    • Per‑interface monitoring
  • This mode is common in SD‑WAN overlay IPsec tunnels and advanced routing scenarios

Accept Types can be Any Peer ID or, optionally, a specific peer ID.

Specify the hub LAN subnets as the Local Address and all zeros as the Remote Address, so that one Phase 2 selector covers all spokes.

2. Firewall Policy

Spoke 1 Configuration

1. VPN

The Local Address needs to be configured so that the hub can automatically inject a static route into its routing table.

It seems the injected route is not derived from the local firewall configuration but from the negotiated Phase 2 selectors. Because the hub has an all-zero remote subnet configured, it does not match the spoke's locally configured selectors, so no static route to the hub LAN is injected on the dialup VPN spoke firewall. Hence the next step adds a static route to the hub LAN manually.

2. Static Route

3. Firewall Policy

Spoke 2 has a similar configuration.
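The hub and spoke settings described above, written out as FortiOS CLI. This is an added example, not part of the original lab notes: the interface names, subnets, tunnel names and the hub's public address are assumptions, and the pre-shared key is a placeholder.

```fortios
# Hub: assumed LAN 10.1.0.0/24 behind port1, dialup tunnel "HUB-DIALUP"
config vpn ipsec phase1-interface
    edit "HUB-DIALUP"
        set type dynamic
        set interface "port1"
        set ike-version 2
        # Accept Types: Any Peer ID
        set peertype any
        # one shared tunnel interface for all spokes (no per-spoke dynamic interfaces)
        set net-device disable
        # Add Route: inject each spoke's negotiated Phase 2 subnet into the hub routing table
        set add-route enable
        set psksecret <PRESHARED-KEY-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "HUB-DIALUP-P2"
        set phase1name "HUB-DIALUP"
        # Local Address = hub LAN, Remote Address = all zeros so one selector covers every spoke
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
# Spoke 1: assumed LAN 10.2.1.0/24 behind wan1, hub public address 203.0.113.1
config vpn ipsec phase1-interface
    edit "TO-HUB"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.1
        set psksecret <PRESHARED-KEY-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "TO-HUB-P2"
        set phase1name "TO-HUB"
        # Local Address must be the real spoke LAN: it is what the hub injects as a route
        set src-subnet 10.2.1.0 255.255.255.0
        set dst-subnet 10.1.0.0 255.255.255.0
        set auto-negotiate enable
    next
end
# The hub's all-zero selector does not match the spoke's, so no route to the hub LAN is injected on the spoke; add it manually
config router static
    edit 0
        set dst 10.1.0.0 255.255.255.0
        set device "TO-HUB"
    next
end
```

Spoke 2 repeats the spoke block with its own LAN in src-subnet; the hub side needs no change because the all-zero Remote Address already covers it.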

Verification

On the hub:
